Various news outlets report the release of Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."

From the Wired article noted below:

Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.

NSA-created cyber tool spawns global ransomware attacks

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.

One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.

Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.

tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.

WannaCrypt (aka WCry) is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on users' machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and were stopped only because a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.

We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.

Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools was posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.

In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.

What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?

Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.

The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.

[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."

> Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

Oh, sure, let's blame the old cheapskate Luddites running Windows XP for all of this.

As far as I can tell, Windows 10 was vulnerable to this attack until just very recently. Next time, older Windows may not even be a target. But let's go ahead and perpetuate the illusion that having the "latest and greatest" will always keep you absolutely 100.000000000% safe.

I know someone who was surprised to hear about all this and admitted she has been clicking on all email links sent to her. The scariest part to her was that an email containing a bible verse could be dangerous. That just isn't something that seemed possible before ransomware, but now even your mom is scared of email.

Great as now it seems Windows XP will be safer with time while keeping the software base and having ReactOS [wikipedia.org] accomplish better and better compatibility. 32-bit architecture is a sweet spot in terms of memory pointer size, accessible memory and processor efficiency.

4 GB ought to be enough for anybody!

As for sweet spot, a 24-bit system with 24-bits per memory position gives 48 MB system memory size. Maybe 8-bit as a unit for processing isn't optimal either. Maybe 6-bits is better?

That 32-bit x86 systems seem to max out at 4 GByte perhaps indicates an unnecessary bottleneck in that 8 bits per memory address is used. If instead 32 bits are used, more memory can be accessed with the same address limit.

There existed a 64-bit version of Windows XP, but it saw little uptake.

On x86, Physical Address Extension allows the use of more than 4 GB of memory.

The 32-bit size of the virtual address is not changed, so regular application software continues to use instructions with 32-bit addresses and (in a flat memory model) is limited to 4 gigabytes of virtual address space.

PAE still leaves the CPU to handle up to 64 GB, i.e. 36-bit addresses. Though it's all hidden to the scheduler side of things. Perhaps the kernel needs to deal with it too for program jumps etc? Data access seems to still be that each address in userland has 8 bits.

So in PAE, the CPU has at least 36-bit virtual addressing. There may be less physical address lines than this. Each process in userland may however only use up to 32-bits.

As for 64-bit Windows XP. The Microsoft ecosystem is very much a Win32 thing. And things will evolve around that unless a big bat is used. Which Microsoft did with their later 64-bit OS, i.e. to get 32-bit certification you got to present a workable driver for 64-bit and so on.

Actually you could blame Microsoft for that aspect; it wouldn't have been a problem if Windows XP could still get updates automatically. The original patches were released in March; XP and Vista probably had patches created around that time as well because of the extended life contracts some large corporations and governments have with them. They could have just pushed it automatically if they hadn't taken down the public update mechanisms. Tons of systems would have been updated for months before the ransomware hit. Instead, the patches need to be installed manually, and were only released as a response to the malware on a Saturday, so many many systems did not get patched until well after the ransomware was crippled.

Also the patch doesn't work great on Windows Server 2003 systems, or so that has been my experience. Had to leave a few systems unpatched after I rolled back the update... Though this might partly be from the applications those servers are running being extremely fiddly.

Windows 10 (and 7/8/8.1/etc) had the updates available in March. I had very few newer systems I had to worry about because of that.

Yes, you could blame MS for not wanting to support a 16-year-old system with ever-declining users, and dedicating their resources to making sure patches don't break it for those rare users who do bother to patch. But that would put you at odds with the realities of running a profitable company.

As of November 2016, Windows XP desktop market share makes it the fourth most popular Windows version after Windows 7, Windows 10 and Windows 8.1. Windows XP is still very popular in some countries; Africa as a whole and in Asia, e.g. in China, with it running on one third of desktop computers (and highest ranked in North Korea).

> But that would put you at odds with the realities of running a profitable company.

A 2015 IDG News Service article corroborates the tabloids

The Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, signed a $9.1 million contract earlier this month for continued access to security patches for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003.

The entire contract could be worth up to $30.8 million and extend into 2017.

Even more curious is Vista. If they patched 7/8.1/10 in March, then why wasn't a patch pushed out to Vista too? Vista was still in extended support until mid-April. The end might have been close, but Microsoft should have made the patch available.

There are some shops that rely on software that no longer runs on new hardware and there is no modern equivalent. There are also poor people with XP computers that had been donated and can't afford a new one. I have two XP computers, but they're never online. I just can't see perfectly good computers (or ones that would be, if Microsoft had ethics) being discarded.

For once this decryption code is actually small and can be easily analyzed if you look at the "search_primes.cpp" file. It's based on the fact that the WinXP encryption library does not clean its memory from the key primes when returning, so the main:
1/ gets the memory pages in the context of the wannacry process
2/ checks if it's not used
3/ retrieves it
4/ parses through and, when a section of the memory entropy is low, checks if the number is prime
5/ if prime, tries to divide the N product and reports in case of success

Now I'm not a Windows developer, but I assumed you would not be able to retrieve process memory pages like this; maybe it only works in root/admin mode? Unless XP has no such context? Also, this is not cracking anything but just hoping that the memory was not overwritten, so I'd say you have a pretty low chance of getting the keys back this way, but it's cool to see nonetheless.
Cheers
-dbe
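As an added illustration of the search step described in the comment above (this is not Wannakey's code and reads a constructed byte buffer rather than a live process): the RSA modulus n is assumed known from the victim's key file, one of its primes is assumed to survive little-endian in memory, and the key size, entropy threshold and sample dump are assumptions of this example. It also shows the failure mode the thread discusses, a dump where that region has been overwritten.

```python
import math, random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin: never rejects a true prime; accepts a composite with prob <= 4**-rounds."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def entropy(block):
    """Shannon entropy in bits/byte: random key bytes score high, zero pages and strings low."""
    probs = [block.count(b) / len(block) for b in set(block)]
    return -sum(p * math.log2(p) for p in probs)

def search_primes(dump, n, prime_bytes, min_entropy=4.0):
    """Slide over the dump, skip windows that cannot be key material, return (offset, p, q)."""
    for off in range(len(dump) - prime_bytes + 1):
        window = dump[off:off + prime_bytes]
        if window[0] % 2 == 0 or entropy(window) < min_entropy:  # little-endian: LSB first
            continue
        cand = int.from_bytes(window, "little")
        if n % cand == 0 and is_probable_prime(cand):  # cheap divisibility first, then primality
            return off, cand, n // cand
    return None  # prime overwritten or never in this dump: nothing to recover (the caveat above)

def private_exponent(p, q, e=65537):  # the payoff of a hit: d follows from p and q
    return pow(e, -1, (p - 1) * (q - 1))

def build_sample(seed=2017, bits=512):
    """Constructed data: a modulus and two fake dumps, one holding p little-endian, one zeroed."""
    rng = random.Random(seed)
    odd = iter(lambda: rng.getrandbits(bits) | (1 << (bits - 1)) | 1, None)  # top bit set, odd
    primes = (c for c in odd if is_probable_prime(c) and (c - 1) % 65537)  # usable with e=65537
    p, q = next(primes), next(primes)
    junk = bytes(512) + b"ordinary process strings, not key material " * 8
    noise = bytes(rng.getrandbits(8) for _ in range(512))
    intact = junk + p.to_bytes(bits // 8, "little") + noise
    wiped = junk + bytes(bits // 8) + noise
    return p * q, p, intact, wiped
```

Calling `search_primes(intact, n, 64)` on the sample returns the offset of p and both factors, while the same call on `wiped` returns None, which is exactly the reboot/overwrite case the comment warns about.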

There ain't shit anybody can do once you have an elevated process encrypting files. We've designed it so that an elevated process encrypting files is protected against tampering and snooping :) Gaining access to keys after the fact is a major problem for you, not so much for the attackers. So we've done our best to lock that out. How well that is done on XP is anyone's guess, but the fact a decrypt utility exists for XP is telling.

The big two problems?

1) Running as administrator.
2) Running attachments in email.

The fundamental problem? Running Microsoft at all. It was great growing up, I still really enjoy the interface, but it is an old insecure toy now that needs to be put away by the adults. I'd have more respect for Microsoft if it completely broke with compatibility and designed a new OS (without telemetry).

Regardless of OS though, if you have a long enough backup window with versioning control there is nothing people can do to you like this. I'm completely safe and secure. If my system locked up now with a ransom, I would just laugh my ass off. I would be pretty upset they got a copy, but not worried about me having continued access.

No different than recovering data deleted by an employee upset on termination day.

People can put away Microsoft, I would say it's technically doable now. Microsoft security sucks but that doesn't happen unless someone is choosing the crap. And there's a tendency for people doing the Windows thing to be less competent in security than for other systems.

So the problem boils down to people. And that would mean there are types of people that should not handle IT systems.

Side note: Bell (in Canada) got hacked, and I got informed by haveibeenpwned 1 day before Bell told me. Bell says no passwords were taken, but pwned says there were. Anywho, I changed my password. My wife asked me what the new password was, then asked me why I couldn't have a nice simple password.

Yes, she uses Windows, but mostly uses her tablet (Android) because she can't get online with her Windows laptop: she keeps getting redirected to some website (she keeps saying Windows is better than Linux, but won't let me try to fix her laptop, so......)

Too many people are just lazy with clicking, passwords, security....... sigh.

-----
That's not flying: that's... falling... with more luck than I have.
---

"keeps saying windows is better than linux"... Do you know how many times I've heard that while fixing their malware infested porn terminal? I sometimes want to install Linux but change the themes to look like Windows and be done with it.

* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

No, but then nothing ever did, since it was only a test to defend Hairykrishnafeet from the fact that he had sold out, was no longer a Tolkien hippy, but is now a "reverse-racist" old fogey, or in plain words, a Trump-voting Microsoft lackey. Anyone would need a defense from that much shame.